Foundations: What Are NIC, MAC and ARP?

by Corey Nachreiner, WatchGuard Network Security Analyst, and Scott Pinzon, LiveSecurity Content Editor

“Avast! Belay the port jib, and scupper the mains’l on the poop deck!”

This means something important to pirates. (Possibly.) It also illustrates how every industry has its own jargon, rich in technical meaning to insiders, but often impenetrable to outsiders. And the first time you hear a network geek tell you, “Of course the device can’t be found, because its MAC address isn’t in the ARP table,” well, you just wanna keelhaul that bilge rat on the lee side of a mizzenmast.

A more effective and less violent response would be to learn these important terms. Devices on a network don’t immediately become aware of the existence and location of other devices on the same network. If you’ve ever wondered how they discover one another, then you’re ready to enter the not-really-that-mysterious world of NIC, MAC, and ARP (pronounced as words, not as spelled-out letters). Full speed ahead, matey!

Two addresses in one

To explain NIC, MAC, and ARP, we’ll start with one computer: yours. We’ll call this desktop system Redbeard, one of several computers on a LAN.

You’re probably aware that Redbeard has an Internet Protocol (IP) address. (If this concept is new to you, first read Foundations: Understanding IP Addresses and Binary.) An IP address acts like a mailing address to help other computers deliver network traffic to Redbeard. But IP addresses also present complications. Some addresses are static, meaning, more or less permanent. But other IP addresses are dynamic, meaning, assigned on the fly from (and returned to) a range of IP addresses (for example, 192.168.0.1 – 192.168.0.254). Dynamic IP addressing is part of what enables you to take your laptop somewhere new, connect to the Internet, and receive IP traffic. When you do so, somewhere a DHCP server has dynamically allocated a temporary IP address to your laptop.

So with machines coming and going on networks, and IP addresses ever changing, how do other computers on your network find Redbeard? The secret (well, not really a secret; just a fact that veteran administrators know so well, they forgot to tell you) is this: every networked device actually has two addresses. One is the IP address, which might or might not change. The other is the MAC address, which typically does not change.

MAC is just my NIC name

When you connect a computer to your Ethernet LAN, do you know what you’re plugging the Ethernet cable into? From the outside, it looks like you’re plugging it into a metal case, but you’re not. Inside the case is a Network Interface Card (NIC). A NIC is a special hardware card within any networked device (computer, printer, router, etc.) that handles all the technical aspects of sending and receiving data packets over a computer network.

Like your mailing address at home, your computer’s NIC has a unique address. This address must be unique in all the world. Otherwise, network traffic couldn’t find its way to the right computer.

The distinctive address that identifies a NIC is called the Media Access Control (MAC) address. A MAC address is a unique character string, and since it identifies a specific physical device — one individual NIC — the MAC address, by convention, never changes for the life of the NIC. Two NICs never have the same MAC address (unless some manufacturer screws up royally [which has happened]). Because your NIC’s MAC address is permanent, it’s often referred to as the “real,” or physical, address of a computer.

A MAC address is formatted as a six-byte, hexadecimal number, like this:

00:90:7F:12:DE:7F

In hexadecimal notation, it takes merely two characters to represent a byte. Each byte in a MAC address is separated by either a colon (:) or a hyphen (-).

You don’t get to assign MAC addresses the way you do IP addresses. Instead, manufacturers pre-program a chip on each NIC with its exclusive MAC address. The IEEE Standards Association assigns each NIC manufacturer a special three-byte code, called an Organizationally Unique Identifier (OUI, which you should not confuse with the men’s magazine of the same name — trust us), which identifies that particular manufacturer. The first half (three bytes) of any MAC address expresses this manufacturer code. For example, taking the OUI in the MAC address shown above, you can look up 00:90:7F on IEEE’s OUI registry and find that 00:90:7F indicates a NIC from WatchGuard.

The second half of a MAC address differentiates one NIC from another. The NIC manufacturers ensure that the MAC address for each NIC they ship ends with a unique three-byte number. This is feasible because a three-byte hexadecimal address offers over sixteen million possible variations.

The yin and yang of MAC and IP

MAC addresses seem pretty cool, right? But you have no control over what MAC addresses will be in the devices you purchase, and you normally can’t alter them, so it’s impossible to organize anything by MAC address. MAC addresses are not routable, either; in other words, Internet protocols will not accept a MAC address as a destination (for one thing, it’s two bytes longer than an IP address). The MAC concept doesn’t scale. So you only utilize MAC addresses locally, not across a router.

IP addresses, on the other hand, scale extremely well. On your private network, you can slice ’em into ranges that make sense to you (known as subnetworking, or subnetting). You can decide at a whim what IP address any device or group of devices should have.

So what we have is yin and yang. The malleable IP address gives your network some flexible manageability. The never-changing MAC provides a specific, reliable address for a physical device.

Or you could say, we have the long and the short of it. IP addresses route a packet across the whole global Internet, while MAC addresses help the packet make the small, local hop between hardware devices. Sophisticated networking is possible because each of your networked devices has both a MAC and an IP address.

Network Roll Call: ARP

We began by wondering, “How do devices on a local network become aware of one another?” NICs and MACs are important pieces of the answer, but your network must learn to pair a MAC address with the IP address for the same machine. It does so using a technique called Address Resolution Protocol (ARP, pronounced like a pirate with the hiccups).

Think of ARP as network roll call. Remember the first day of fourth grade? At the beginning of class, the teacher called from a list of names, expecting you to reply when she called yours. She did this to associate your name with your face. Every kid heard every name, but answered only to his or her own name. ARP uses a similar technique to associate an IP address to the MAC address.

Let’s assign Redbeard the IP address, 192.168.39.101, and suppose its NIC has the MAC address, 00:A0:24:30:2E:13. And suppose you need to send a file to Larry in Accounting — or more literally, to his computer, Beancounter. When Redbeard attempts to send Beancounter a file, Redbeard first obtains Beancounter’s IP address. Upon seeing that the IP address is local (on the same subnetwork), Redbeard knows he is capable of sending the file to its destination, if he learns the “real” (MAC) address associated with that IP address. To learn the MAC address, Redbeard does what your teacher did on the first day of school. He calls out to the entire local network asking that the computer with the IP in question reply “Here!” with a MAC address.

Let’s say that Beancounter has the IP, 192.168.39.148. To find the MAC address for Beancounter, Redbeard would send the following (simplified) ARP request:

From (Redbeard’s MAC address): 00:A0:24:30:2E:13
To (Broadcast address): FF:FF:FF:FF:FF:FF
Packet Content: Who has 192.168.39.148? Tell 192.168.39.101.

Notice the special address in the “To” field above. That special address (all Fs) is the MAC broadcast address. Anything sent to that address goes to every computer on Redbeard’s LAN segment. All those computers receive the message, but ignore it, because it doesn’t pertain to them — with the exception of Beancounter. Because Beancounter is 192.168.39.148, it replies with its MAC address, like this:

From (Beancounter’s MAC address): 00:A0:24:30:4C:23
To (Redbeard’s MAC address): 00:A0:24:30:2E:13
Packet Content: I have 192.168.39.148

Now Redbeard has “resolved” the IP address 192.168.39.148 to its MAC address, 00:A0:24:30:4C:23. Redbeard can send files directly to the correct piece of hardware that accepts network traffic on behalf of Beancounter (Beancounter’s NIC). Bonus: Beancounter also remembers Redbeard’s IP address and MAC address, because they were part of Redbeard’s initial ARP request.

This entire process we’ve just described is what geeks mean when they say “it’s ARPing for a MAC address.”
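The simplified exchange above, laid out as the actual bytes on the wire in the RFC 826 packet format for Ethernet and IPv4. This is an added example, not part of the original article; the function names are illustrative, and filling the request's unknown target MAC with zeros is a common convention assumed here.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype ptype hlen plen oper sha spa tha tpa
REQUEST, REPLY = 1, 2

def mac_bytes(mac):
    """Accept colon- or hyphen-separated MAC text; return six raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("MAC address must be six bytes: %r" % mac)
    return raw

def mac_text(raw):
    return ":".join("%02X" % b for b in raw)

def build(oper, eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet header (dst, src, type 0x0806) plus the 28-byte ARP body."""
    header = mac_bytes(eth_dst) + mac_bytes(sender_mac) + b"\x08\x06"
    return header + struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, oper,
        mac_bytes(sender_mac), socket.inet_aton(sender_ip),
        mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse(frame):
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        raise ValueError("not an Ethernet frame carrying ARP")
    fields = struct.unpack(ARP_FMT, frame[14:42])
    if fields[:4] != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    oper, sha, spa, tha, tpa = fields[4:]
    return {"to": mac_text(frame[:6]), "from": mac_text(frame[6:12]),
            "oper": oper,
            "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa),
            # Receivers cache the sender pair from the body, unauthenticated.
            "mismatch": frame[6:12] != sha}

def describe(frame):
    p = parse(frame)
    if p["oper"] == REQUEST:
        return "Who has %s? Tell %s." % (p["target_ip"], p["sender_ip"])
    return "I have %s" % p["sender_ip"]

# The article's two messages; the request's target MAC is unknown (zeros).
REQUEST_FRAME = build(REQUEST, "FF:FF:FF:FF:FF:FF", "00:A0:24:30:2E:13",
                      "192.168.39.101", "00:00:00:00:00:00", "192.168.39.148")
REPLY_FRAME = build(REPLY, "00:A0:24:30:2E:13", "00:A0:24:30:4C:23",
                    "192.168.39.148", "00:A0:24:30:2E:13", "192.168.39.101")
```

The sender's MAC appears twice, once in the Ethernet header and once in the ARP body, and `parse` reports whether the two agree.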

I’ve got your number

Having successfully ARPed, Redbeard stashes the newly learned MAC/IP pair in an ARP cache. The ARP cache is a small segment of memory your computer reserves to temporarily store a table of MAC addresses and their associated IP addresses. Your computer keeps this table for efficiency so that it doesn’t have to keep broadcasting ARP requests to computers it has already queried. If Redbeard needs to send something else to Beancounter soon, Redbeard will obtain Beancounter’s MAC address from Redbeard’s own on-board treasure trove, the ARP cache.

However, the ARP cache sometimes becomes a problem. Every device on your LAN maintains its own ARP cache. Routers, in particular, do not update their ARP cache as frequently as computers. When you replace an old device on your network, the local router might not find the new device because it’s relying on data in the ARP cache that is now outdated. (This is a common issue when routers cannot find a newly installed Firebox.) That’s why you should flush your router’s ARP cache when installing a new device for the first time (your router’s manual should tell you how).

Pirates pronounce it, “ARrrrrrrrP!”

You’ll rarely have to deal with ARP and MAC during day-to-day operations. Mostly, they work behind the scenes and require very little administrative attention. However, sometimes you encounter problems where understanding MAC addresses and the ARP protocol becomes helpful in troubleshooting network issues. One form of hacker attack even involves feeding bad data to ARP tables, a practice known as ARP poisoning. So a little investment in learning about NIC, MAC, and ARP may prevent your network from careening into Davy Jones’ Locker — plus, your mastery of jargon will impress your fellow hearties sailing the Internet’s bounding main.
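The ARP cache behaviour described under “I’ve got your number” and the bad-data problem mentioned above both come down to watching how an IP-to-MAC pairing changes over time. The following is an added example, not part of the original article: a toy cache that expires entries and logs every change. The class name, the 300-second default lifetime, the `99:99` MAC and the “changed” versus “flip-flop” labels are assumptions made for illustration.

```python
from collections import defaultdict

class ArpMonitor:
    """Toy ARP cache that also records every change to an IP-to-MAC pairing."""

    def __init__(self, ttl):
        self.ttl = ttl                    # seconds a cached entry stays valid
        self.cache = {}                   # ip -> (mac, time learned)
        self.history = defaultdict(list)  # ip -> MACs seen, in order
        self.alerts = []                  # (time, ip, old_mac, new_mac, kind)

    def lookup(self, ip, now):
        entry = self.cache.get(ip)
        if entry is None or now - entry[1] > self.ttl:
            self.cache.pop(ip, None)      # expired: the host must ARP again
            return None
        return entry[0]

    def learn(self, ip, mac, now):
        mac = mac.upper().replace("-", ":")
        seen = self.history[ip]
        if not seen or seen[-1] != mac:
            if seen:
                # A first-time change may be replaced hardware; a MAC that
                # comes back suggests two devices answering for one IP.
                kind = "flip-flop" if mac in seen else "changed"
                self.alerts.append((now, ip, seen[-1], mac, kind))
            seen.append(mac)
        self.cache[ip] = (mac, now)

    def flush(self):
        self.cache.clear()                # what the article advises on routers

def replay(observations, ttl=300):
    monitor = ArpMonitor(ttl)
    for now, ip, mac in observations:
        monitor.learn(ip, mac, now)
    return monitor

# Constructed sample: (seconds, claimed IP, claimed MAC) from ARP replies.
OBSERVED = [
    (0, "192.168.39.148", "00:A0:24:30:4C:23"),   # Beancounter, per the article
    (30, "192.168.39.148", "00-a0-24-30-99-99"),  # made-up second claimant
    (31, "192.168.39.148", "00:A0:24:30:4C:23"),
    (32, "192.168.39.148", "00:A0:24:30:99:99"),
]
```

A single “changed” alert is also what a legitimately replaced device looks like, so it is a prompt to check the hardware inventory; repeated “flip-flop” alerts for one IP are the pattern that deserves investigation.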

